===========================================================================
                   AUSCERT Security Bulletin ASB-2017.0093.2
      A new Ransomware variant with worm-like capabilities has infected
           many companies in Europe and a couple in the United States.
                                28 June 2017
===========================================================================

                       AusCERT Security Bulletin Summary
                       ---------------------------------

Product:              Microsoft Windows
Operating System:     Windows
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-0144 CVE-2017-0199
Member content until: Friday, July 28 2017
Reference:            ASB-2017.0033.2
                      ESB-2017.0661

Revision History:     June 28 2017: Major updates and added Indicators of Compromise (IoC)
                      June 28 2017: Initial Release

OVERVIEW

A new Ransomware variant with worm-like capabilities has infected many companies in Europe and a couple in the United States. The media is calling it "Petya" but it is not similar to the Petya variants seen before. [1]

Cisco's TALOS group has given the following additional details on the propagation methods [6].

"As part of the propagation process, the malware enumerates all visible machines on the network via the NetServerEnum and then scans for an open TCP 139 port. This is done to compile a list of devices that expose this port and may possibly be susceptible to compromise.

The malware has three mechanisms used to propagate once a device is infected:

  - EternalBlue - the same exploit used by WannaCry.
  - Psexec - a legitimate Windows administration tool.
  - WMI - Windows Management Instrumentation, a legitimate Windows component.

These mechanisms are used to attempt installation and execution of perfc.dat on other devices to spread laterally. For systems that have not had MS17-010 applied, the EternalBlue exploit is leveraged to compromise systems. We have written about this previously in our coverage of WannaCry.
Psexec is used to execute the following instruction (where w.x.y.z is an IP address) using the current user's Windows token to install the malware on the networked device. Talos is still investigating the methods in which the "current user's Windows token" is retrieved from the machine.

    C:\WINDOWS\dllhost.dat \\w.x.y.z -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1

WMI is used to execute the following command, which performs the same function as above, but using the current user's username and password (as username and password). Talos is still investigating how the credentials are retrieved from the machine at this time.

    Wbem\wmic.exe /node:"w.x.y.z" /user:"username" /password:"password" "process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"

IMPACT

According to our colleagues at BI.ZONE-CERT and the Hybrid Analysis report of the malware sample [2]:

"The malware clears system logs using the following command:

    wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:

to make further analysis more difficult. It also writes its code to the hard drive MBR, initiates a system reload and adds reload commands to the Windows planner ("schtasks" and "at" commands). After the system is reloaded the malware downloads its code from the MBR and encrypts data on the hard drive (the file allocation table is encrypted; we are currently investigating what else is being encrypted). If the computer is shut down before the reload, the MBR can be re-established with the "bootrec /FixMbr" command (in Vista+; for Windows XP "fixmbr" can be used). In case the privileges are not high enough to rewrite the MBR, the files are encrypted without a system reload.
The list of file types that are encrypted:

    3ds,7z,accdb,ai,asp,aspx,avhd,back,bak,c,cfg,conf,cpp,cs,ctl,dbf,disk,
    djvu,doc,docx,dwg,eml,fdb,gz,h,hdd,kdbx,mail,mdb,msg,nrg,ora,ost,ova,
    ovf,pdf,php,pmf,ppt,pptx,pst,pvi,py,pyc,rar,rtf,sln,sql,tar,vbox,vbs,
    vcb,vdi,vfd,vmc,vmdk,vmsd,vmx,vsdx,vsv,work,xls,xlsx,xvd,zip."

MITIGATION

Most Anti-Virus vendors now have signatures for this ransomware sample, but other samples with similar characteristics may not have proper detection rates. [3]

We recommend patching the MS17-010 (CVE-2017-0144) vulnerability on all your Windows machines if it has not been done yet. [4]

Microsoft has also advised on how to disable SMBv1, which can be an additional mitigation. [5]

A potential (unverified by AusCERT) kill switch has been found within the samples: the creation of the file "C:\Windows\perfc". [7] Additional information shows that the kill switch requires the following: "Simply, all that is needed are 3 files (perfc, perfc.dll, and perfc.dat) to already exist on the Windows machine, under C:\Windows, with READONLY permissions." [8]

We would like to stress that paying the ransom will not result in the decryption key being handed over.
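The three kill-switch files quoted above can be staged with the following PowerShell, an added example that is not code from AusCERT, Talos, BI.ZONE or the petya-killswitch project. It assumes an elevated session, that $env:SystemRoot is C:\Windows, and that the "READONLY permissions" in the quote mean the file system read-only attribute; any file of the same name that already exists is left untouched.

```powershell
# Added example: stage perfc, perfc.dll and perfc.dat under C:\Windows as
# read-only files, the unverified kill switch the bulletin cites.
# Not code from AusCERT or the cited sources. Assumptions: elevated shell,
# $env:SystemRoot is C:\Windows, "READONLY permissions" = read-only attribute.
function Set-PerfcKillSwitch {
    [CmdletBinding()]
    param(
        # Directory named in the bulletin; overridable to try it on a scratch path first.
        [string]$WindowsDir = $env:SystemRoot
    )

    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Run from an elevated PowerShell session: writing under $WindowsDir needs administrator rights."
    }

    foreach ($name in 'perfc', 'perfc.dll', 'perfc.dat') {
        $path = Join-Path -Path $WindowsDir -ChildPath $name
        $existed = Test-Path -LiteralPath $path -PathType Leaf
        if (-not $existed) {
            # An empty file is enough: the quoted requirement is only that it exists.
            New-Item -ItemType File -Path $path -ErrorAction Stop | Out-Null
        }
        # Set the read-only attribute without clearing any attribute already present.
        $file = Get-Item -LiteralPath $path
        $file.IsReadOnly = $true

        # Re-read the item so the report reflects what is actually on disk.
        [pscustomobject]@{
            Path           = $path
            AlreadyExisted = $existed
            ReadOnly       = (Get-Item -LiteralPath $path).IsReadOnly
        }
    }
}

# Stage the files and confirm all three are present and read-only.
Set-PerfcKillSwitch | Format-Table -AutoSize
```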
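The commands quoted in the propagation and impact sections above can be turned into process command-line detections. The following PowerShell is an added example, not code from AusCERT, Talos or BI.ZONE; it assumes command lines are available from Sysmon event 1, Security event 4688 with command-line auditing, or an EDR export, and runs here over constructed sample lines.

```powershell
# Added example: match process command lines against the commands quoted in
# this bulletin (PsExec via dllhost.dat, WMIC process call create,
# rundll32 perfc.dat,#1 and the wevtutil/fsutil log clearing chain).
# Not code from AusCERT or the cited sources. Assumes the command lines come
# from Sysmon event 1, Security 4688 (command-line auditing on) or an EDR.
$PetyaCommandPatterns = [ordered]@{
    'PsExec lateral movement (dllhost.dat -accepteula)'    = '(?i)dllhost\.dat\s+\\\\\S+.*-accepteula.*perfc\.dat,#1'
    'WMI lateral movement (wmic process call create)'     = '(?i)wmic\.exe\s+/node:.*process call create.*perfc\.dat'
    'Payload execution (rundll32 perfc.dat ordinal #1)'   = '(?i)rundll32\.exe\s.*perfc\.dat\W*#1'
    'Log clearing (wevtutil cl + fsutil usn deletejournal)' = '(?i)wevtutil\s+cl\s+\w+.*&.*fsutil\s+usn\s+deletejournal'
}

function Find-PetyaCommandLine {
    param([Parameter(Mandatory)][string[]]$CommandLine)
    foreach ($line in $CommandLine) {
        # A single line may hit several rules (e.g. PsExec plus the rundll32 payload rule).
        foreach ($rule in $PetyaCommandPatterns.GetEnumerator()) {
            if ($line -match $rule.Value) {
                [pscustomobject]@{ Indicator = $rule.Key; CommandLine = $line }
            }
        }
    }
}

# Constructed sample command lines (not real telemetry); IPs are placeholders.
$sample = @(
    'C:\WINDOWS\dllhost.dat \\10.0.0.5 -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1',
    'C:\Windows\System32\Wbem\wmic.exe /node:"10.0.0.6" /user:"corp\svc" /password:"x" "process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"',
    'cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:',
    'C:\Windows\System32\rundll32.exe "C:\Windows\perfc.dat",#1',
    'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL'
)

Find-PetyaCommandLine -CommandLine $sample | Format-Table -AutoSize -Wrap
```

The last sample line is an ordinary rundll32 invocation and matches no rule; keep a benign line like it in the set whenever these patterns are tuned, so that the rundll32 rule stays anchored on perfc.dat rather than on rundll32 alone.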
INDICATORS
REFERENCES

[1] Petya Ransomware Outbreak Goes Global
    https://krebsonsecurity.com/2017/06/petya-ransomware-outbreak-goes-global/

[2] petwrap.exe
    https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100

[3] 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
    https://www.virustotal.com/en/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/

[4] Microsoft Security Bulletin MS17-010 - Critical
    https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

[5] How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server
    https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows

[6] Unverified kill switch for WMI pivot
    https://twitter.com/0xAmit/status/879778335286452224

[7] PETYA KillSwitch
    https://github.com/petermbenjamin/petya-killswitch

AusCERT has made every effort to ensure that the information contained in this document is accurate.
However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================